chore(sentry): suppress ms-browser-extension + about: CSP noise (round 2 triage)#3464

Merged: koala73 merged 1 commit into main from chore/sentry-triage-round2 on Apr 27, 2026

Conversation

koala73 (Owner) commented Apr 27, 2026

Summary

Round-2 Sentry triage on top of #3460 (now merged). Two more CSP-violation issues that fall through the existing shouldSuppressCspViolation filter, both clearly third-party noise:

  • WORLDMONITOR-JM (39 events / 21 users on Edge): font-src blocked ms-browser-extension://... — Microsoft Edge's extension scheme, the variant of chrome|moz|safari(?:-web)?-extension our regex already handled. Extended the regex to (?:chrome|moz|safari(?:-web)?|ms-browser)-extension so blockedURI and sourceFile matches stay symmetric.
  • WORLDMONITOR-JQ (23 events / 18 users on Samsung Internet / Tizen): frame-src blocked about (scheme-only) — Smart TV browsers, ad-injectors, and some extensions create about:blank / about:srcdoc iframes. We never set frame src to about:* ourselves. New branch suppresses bare about plus any about:* URI.

Both issues marked resolved/inNextRelease in Sentry — they auto-reopen if the suppression somehow misses them after deploy.

Two issues from the same triage pass were intentionally left open rather than filtered:

  • WORLDMONITOR-66 (TimeoutError: signal timed out, 82/72): the existing signal timed out rule in beforeSend is stack-gated by design, since AbortSignal-based timeouts CAN come from our own fetch calls. Old, low-volume, no actionable lead.
  • WORLDMONITOR-P1 (Dodo checkout declined, 3/2): deliberate operational signal at src/components/checkout-failure-banner.ts:32 (Sentry.captureMessage(..., { level: 'warning' })). Low volume, intentional.

Test plan

  • npm run typecheck — PASS
  • npm run typecheck:api — PASS
  • CJS syntax check on all scripts/*.cjs — PASS
  • npm run lint (biome) — 0 errors
  • npm run test:data — 7522/7522
  • Edge function bundle check — PASS
  • node --test tests/edge-functions.test.mjs — 178/178
  • npm run lint:md — 0 errors
  • npm run version:check — 2.8.0 sync OK
  • tests/csp-filter.test.mjs — 49/49 (+5: ms-browser-extension URI, ms-browser-extension source, about scheme-only, about:blank, about:srcdoc)
  • Verify in production after deploy: JM/JQ events stop accumulating

Two more Sentry CSP-violation issues from a follow-up triage pass after
PR #3460 merged:

- WORLDMONITOR-JM (39 events / 21 users on Edge): font-src blocked
  ms-browser-extension://... — Microsoft Edge's extension scheme,
  variant of chrome|moz|safari extensions. Extended the existing
  extension regex to include `ms-browser` so blockedURI and sourceFile
  on this scheme suppress symmetrically.

- WORLDMONITOR-JQ (23 events / 18 users on Samsung Internet / Tizen):
  frame-src blocked `about` (scheme-only) — Smart TV browsers and
  ad-injectors create about:blank / about:srcdoc iframes; we never
  set frame src to about:* ourselves. New branch suppresses bare
  `about` plus any `about:*` scheme URI.

Tests: csp-filter +5 cases (ms-browser-extension URI/source, about
scheme-only, about:blank, about:srcdoc). 174/174 pass.
vercel bot commented Apr 27, 2026


Project: worldmonitor; Deployment: Ready; Updated (UTC): Apr 27, 2026 2:21pm


greptile-apps bot (Contributor) commented Apr 27, 2026

Greptile Summary

Adds two targeted CSP-violation suppressions to shouldSuppressCspViolation: the ms-browser-extension:// scheme for legacy Edge extensions (symmetric with the existing chrome/moz/safari regex), and bare about / about:* blocked URIs from extension-injected iframes on Smart TV browsers. Both changes are well-commented, correctly anchored (^), and covered by five new unit tests.

Confidence Score: 4/5

Safe to merge; changes are narrow filter additions with no impact on legitimate violation reporting.

Only P2 findings present. The single observation is a minor inconsistency (missing sourceFile guard on the about: branch vs. how blob: is handled) that leaves a narrow missed-suppression gap but introduces no false-suppression risk or security concern.

No files require special attention; src/main.ts line 556 has a minor consistency note.

Important Files Changed

Filename: src/main.ts
Overview: Extends extension-scheme regex to include ms-browser-extension:// (Edge) and adds about:/about:* suppression; the about: branch omits a sourceFile check that the analogous blob: rule includes.

Filename: tests/csp-filter.test.mjs
Overview: Adds 5 new test cases covering ms-browser-extension URI, ms-browser-extension sourceFile, about scheme-only, about:blank, and about:srcdoc; all well-targeted at the new filter branches.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[CSP violation event] --> B{disposition == 'report-only'?}
    B -- yes --> SUPPRESS[return true / suppress]
    B -- no --> C{connect-src + cspAllowsHttps?}
    C -- yes --> D{HTTPS URI?}
    D -- yes --> SUPPRESS
    D -- no --> E{YouTube IFrame API?}
    E -- yes --> SUPPRESS
    E -- no --> F{Zscaler frame-src?}
    F -- yes --> SUPPRESS
    F -- no --> G{"extension scheme?\n(chrome|moz|safari|ms-browser)-extension"}
    G -- yes --> SUPPRESS
    G -- no --> H{"blob: / eval / inline / data?"}
    H -- yes --> SUPPRESS
    H -- no --> I{"about or about:* (NEW)"}
    I -- yes --> SUPPRESS
    I -- no --> J{"android-webview / manifest /\nthird-party injectors / localhost"}
    J -- yes --> SUPPRESS
    J -- no --> REPORT[return false / send to Sentry]

Comments Outside Diff (1)

  1. src/main.ts, line 556

    Missing sourceFile check for about:

    The analogous blob: rule (line 550) guards both sourceFile and blockedURI. The new about: branch only checks blockedURI, so a CSP violation where sourceFile is about:blank (e.g. an extension-injected about:blank frame that itself triggers a violation) would not be suppressed here, unlike blob events from a similar origin.

Reviews (1): Last reviewed commit: "chore(sentry): suppress ms-browser-exten..."
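The filter logic described in the PR description above and in the Greptile note, as an added example that is not the worldmonitor project's own src/main.ts code: a stand-alone CSP-report triage function with the extended extension-scheme regex applied symmetrically to blockedURI and sourceFile, and an about / about:* branch that also guards sourceFile (the gap the review points out). Report field names follow the browser's SecurityPolicyViolationEvent; the sample reports, ids and example.com / example.net URLs are constructed for the example, and the other branches of the real filter (YouTube, Zscaler, blob:, inline, android-webview, localhost) are deliberately not reproduced.

```javascript
// Added example, not the worldmonitor project's own code. Field names follow
// the browser SecurityPolicyViolationEvent / CSP report format.

// Extension schemes: Chrome, Firefox, Safari (both spellings) and legacy
// Edge (ms-browser-extension). Anchored at ^ so only the scheme position
// counts; "(?::|$)" accepts "chrome-extension://..." as well as a bare scheme.
const EXTENSION_SCHEME_RE = /^(?:chrome|moz|safari(?:-web)?|ms-browser)-extension(?::|$)/;

// Bare "about" (scheme-only, as some Samsung Internet / Tizen builds report
// it) or any about:* URI such as about:blank and about:srcdoc.
const ABOUT_RE = /^about(?::.*)?$/;

function matchesScheme(re, uri) {
  return typeof uri === 'string' && re.test(uri);
}

// Returns true when the report is third-party noise that should be dropped
// before it reaches the error tracker, false when it should be sent.
function shouldSuppressCspViolation(report) {
  const { blockedURI = '', sourceFile = '', disposition = 'enforce' } = report;

  // Report-only policies are still being rolled out; their reports are not
  // actionable as errors.
  if (disposition === 'report-only') return true;

  // Extension-injected resources. Checked on both blockedURI (the extension
  // font/script that was blocked) and sourceFile (an extension script that
  // caused the violation) so the two directions are suppressed symmetrically.
  if (matchesScheme(EXTENSION_SCHEME_RE, blockedURI) ||
      matchesScheme(EXTENSION_SCHEME_RE, sourceFile)) {
    return true;
  }

  // about:blank / about:srcdoc frames created by TV browsers, ad injectors
  // and extensions. The sourceFile guard covers a violation raised from
  // inside such a frame, not only a blocked frame-src load of one.
  if (matchesScheme(ABOUT_RE, blockedURI) ||
      matchesScheme(ABOUT_RE, sourceFile)) {
    return true;
  }

  return false;
}

// Constructed sample reports (not real Sentry events). The first two mirror
// the shapes of the two issues in the PR; the rest exercise the edges.
const SAMPLE_REPORTS = [
  { id: 'edge-extension-font', effectiveDirective: 'font-src',
    blockedURI: 'ms-browser-extension://abcdef0123456789/fonts/ui.woff2',
    sourceFile: 'https://example.com/app.js', disposition: 'enforce' },
  { id: 'tizen-bare-about', effectiveDirective: 'frame-src',
    blockedURI: 'about', sourceFile: '', disposition: 'enforce' },
  { id: 'about-blank-source', effectiveDirective: 'script-src',
    blockedURI: 'https://cdn.example.net/widget.js',
    sourceFile: 'about:blank', disposition: 'enforce' },
  { id: 'real-injected-script', effectiveDirective: 'script-src',
    blockedURI: 'https://cdn.example.net/injected.js',
    sourceFile: 'https://example.com/app.js', disposition: 'enforce' },
  { id: 'about-in-path-not-scheme', effectiveDirective: 'connect-src',
    blockedURI: 'https://example.com/about:blank',
    sourceFile: 'https://example.com/app.js', disposition: 'enforce' },
];

// Splits reports into the ids to send and the ids to drop.
function triageReports(reports) {
  const sent = [];
  const dropped = [];
  for (const r of reports) {
    (shouldSuppressCspViolation(r) ? dropped : sent).push(r.id);
  }
  return { sent, dropped };
}

console.log(triageReports(SAMPLE_REPORTS));
```

The two regexes are anchored at the start of the string, so a path segment that merely contains "about:blank" or "chrome-extension" on an https origin is still reported; only a genuine scheme match is dropped.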

@koala73 koala73 merged commit 8f141b9 into main Apr 27, 2026
12 checks passed
@koala73 koala73 deleted the chore/sentry-triage-round2 branch April 27, 2026 14:22
fuleinist pushed a commit to fuleinist/worldmonitor that referenced this pull request May 9, 2026